Channel: SRX Services Gateway topics

Synchronize configuration to a peer SRX


Hi,

I am sorry if this is a dumb question! New to Juniper!

I have a pair of SRX1500s clustered in HA. Now I am adding a config on the active FW, and it looks like when I do a commit the config is not propagating to the peer SRX.

 

An Example:

 

user@SRX1500> show configuration system ntp
server 10.10.x.x prefer;
server 10.10.x.x;

{primary:node0}
user@SRX1500> show system uptime
node0:
--------------------------------------------------------------------------
Current time: 2018-11-13 13:29:38 MST
Time Source:  NTP CLOCK
System booted: 2018-05-09 14:08:52 MDT (26w6d 00:20 ago)
Protocols started: 2018-05-09 14:08:53 MDT (26w6d 00:20 ago)
Last configured: 2018-11-13 13:21:05 MST (00:08:33 ago) by user
 1:29PM  up 188 days, 21 mins, 1 user, load averages: 0.04, 0.05, 0.01

node1:
--------------------------------------------------------------------------
Current time: 2018-11-13 13:25:16 MST
Time Source:  LOCAL CLOCK -------> NTP IS MISSING HERE!!
System booted: 2018-05-09 14:06:52 MDT (26w6d 00:18 ago)
Last configured: 2018-11-13 13:19:45 MST (00:05:31 ago) by user
 1:25PM  up 188 days, 18 mins, 1 user, load averages: 0.00, 0.00, 0.00

{primary:node0}
user@SRX1500>

The 2nd FW is not getting the NTP config. Do I have to do a 'commit synchronize-peers' every time to overcome this issue?

 


Default ipv6 loopback address, lo0.0 question!!!!


I have set up my loopback, and it works fine. I let the SRX allocate the address for starters, just to see what it produced. This is fine because it is best to let loopback do its own work as far as the SRX is concerned. This question is only about the address it allots by itself. It isn't about what I have added.

 

fe80::2a8a:1c0f:fc40:1500

 

I want to make the address that it allocates automatically, into a static address, for obvious reasons.

 

My question is this.

 

Is the prefix a /64, /128 or what? I'm not worried about a real detailed explanation, but I'd like to know how it decides this. Is it route driven (/64)? My config is all /64 except where /128 is needed, such as ndp-proxy and others. Is it loopback (64 or higher) driven? It isn't a /128 most likely, because the default loopback IPv6 is obviously ::1/128.

 

Here is my output....

It is the second to last line in the command output.

It is a local address on the SRX.

 

xxxxxx@MySRX240> show interfaces lo0.0 extensive
  Logical interface lo0.0 (Index 67) (SNMP ifIndex 16) (Generation 132)
    Flags: SNMP-Traps Encapsulation: Unspecified
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng
    router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet
    reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: Unlimited, Generation: 144, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: None
        Destination: Unspecified, Local: 127.0.0.1, Broadcast: Unspecified, Generation: 142
    Protocol inet6, MTU: Unlimited, Generation: 145, Route table: 0
      Flags: None
      Addresses, Flags: Primary Preferred
        Destination: Unspecified, Local: ::1
    Generation: 144
      Addresses, Flags: Preferred Is-Default Is-Preferred Is-Primary
        Destination: 800:4156:1545:800d::/80, Local: 800:4156:1545:800d::1
    Generation: 146
      Addresses, Flags: Preferred Is-Preferred
        Destination: 1000:82ab::/112, Local: 1000:82ab::1
    Generation: 148
      Addresses, Flags: Preferred Is-Preferred
        Destination: 1800::/96, Local: 1800::1
    Generation: 150
        Destination: Unspecified, Local: fe80::2a8a:1c0f:fc40:1500
    Generation: 152

 

 

Your answers are greatly appreciated.....

Routing between 2 different AWS VPCs


I have two different VPCs connected to my SRX240 and they are located in zones oregon-dmz and oregon-stage. I also have a trust zone that my users sit in. I can route traffic successfully from my trust zone to either dmz or stage, but when the traffic comes down from either one I can't successfully route the traffic. I was originally going to get complicated with BGP, prefix lists and exporting policy-options but thought I'd just get my proof of concept with static routes working first and then I'd muck up the works. Needless to say I've bloodied my desk from banging my head on it and would appreciate if someone with fresh eyes could look at my config and tell me what I'm doing wrong. My DMZ VPC is 172.10.0.0/20 and my Stage VPC is 172.10.48.0/20. My trust subnet is 10.36.0.0/24.

 

 

# show
## Last changed: 2018-11-14 17:46:55 PST
version 12.1X44-D40.2;
system {}
interfaces {
interface-range interfaces-trusted {
member ge-0/0/9;
member ge-0/0/8;
member ge-0/0/10;
member ge-0/0/11;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trusted;
}
}
}
}


st0 {

unit 104 {
family inet {
mtu 1436;
address 169.254.x.x/30;
}
}
unit 105 {
family inet {
mtu 1436;
address 169.254.x.X/30;
}
}
unit 106 {
family inet {
mtu 1436;
address 169.254.x.X/30;
}
}
unit 107 {
family inet {
mtu 1436;
address 169.254.x.X/30;
}
}
}
vlan {
unit 100 {
family inet {
address 10.36.0.10/24;
}
}

}
}
snmp {}
routing-options {

static {

route 172.30.0.0/20 next-hop st0.104;
route 172.30.48.0/20 next-hop st0.106;
}

}
protocols {
bgp {
group ebgp {
type external;
advertise-peer-as;
peer-as 7224;

neighbor 169.254.x.x {
description Oregon-DMZ-Tunnel2;
hold-time 30;

peer-as 7224;
local-as 65000;
}
neighbor 169.254.x.x {
description Oregon-DMZ-Tunnel1;
hold-time 30;

peer-as 7224;
local-as 65000;
}
neighbor 169.254.x.x {
description Oregon-Stage-Tunnel1;
hold-time 30;

peer-as 64512;
local-as 65000;
}
neighbor 169.254.x.x {
description Oregon-Stage-Tunnel2;
hold-time 30;

peer-as 64512;
local-as 65000;
}
}
}
ospf {}
}
policy-options {}
security {}



policies {
from-zone trust to-zone oregon-stage {
policy 1512_11132018 {
description "Default allow policy for Oregon Stage";
match {
source-address any;
destination-address any;
application [ junos-icmp-all microsoft-rdp ];
}
then {
permit;
log {
session-init;
}
}
}
policy trust-to-mgmt_access {
description "Mgmt access to firewalls";
match {
source-address any;
destination-address [ rtr-or-west2b-stage rtr-or-west2a-stage ];
application [ junos-https junos-ssh junos-http ];
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone oregon-stage to-zone trust {
policy stage-to-trust {
description "ICMP Allow All";
match {
source-address any;
destination-address any;
application junos-icmp-all;
}
then {
permit;
log {
session-init;
}
}
}
policy firewall-to-trust {
description "Mgmt protocols from Firewalls";
match {
source-address [ rtr-or-west2a-stage rtr-or-west2b-stage ];
destination-address any;
application [ junos-ntp junos-syslog ];
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone trust to-zone oregon-dmz {
policy default {
description "allow all. Delete at first opportunity";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
}
}
}
policy 2003_11132018 {
description "Ticket #6204";
match {
source-address any;
destination-address srvw-mail02;
application [ junos-icmp-all microsoft-rdp junos-smtp ];
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone oregon-dmz to-zone trust {
policy default {
description "allow all. Delete at first opportunity";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone oregon-stage to-zone oregon-dmz {
policy 1527_11142018 {
description "Default allow policy stage to dmz";
match {
source-address any;
destination-address any;
application junos-icmp-all;
}
then {
permit;
log {
session-init;
}
}
}
policy 1548_11142018 {
description "Ticket #6214";
match {
source-address [ LAN-west2a-stage LAN-west2b-stage ];
destination-address srvw-dc03;
application [ junos-dns-tcp junos-dns-udp junos-ms-rpc-tcp junos-ms-rpc-udp junos-nbname tcp137 junos-nbds junos-smb udp445 junos-ldap udp389 tcp636 tcp3268 tcp3269 tcp88 udp88 tcp5722 tcp464 udp464 ];
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone oregon-dmz to-zone oregon-stage {
policy 1541_11142018 {
description "Default allow policy dmz to stage";
match {
source-address any;
destination-address any;
application junos-icmp-all;
}
then {
permit;
log {
session-init;
}
}
}
}
default-policy {
deny-all;
}
}
zones {
security-zone trust {

host-inbound-traffic {
system-services {
all;
}
protocols {
all;
bgp;
}
}
interfaces {
vlan.100 {
host-inbound-traffic {
system-services {
all;
snmp;
snmp-trap;
}
}
}
}
}
security-zone untrust {


}
security-zone oregon-stage {
address-book {
address west2a-web01 172.10.50.95/32;
address west2a-app01 172.10.50.100/32;
address rtr-or-west2a-stage 172.10.50.110/32;
address rtr-or-west2b-stage 172.10.50.126/32;
address LAN-west2a-stage 172.10.50.96/28;
address LAN-west2b-stage 172.10.50.112/28;
}
interfaces {
st0.106 {
host-inbound-traffic {
system-services {
ike;
all;
}
protocols {
bgp;
ospf;
all;
}
}
}
st0.107 {
host-inbound-traffic {
system-services {
ike;
all;
}
protocols {
ospf;
bgp;
all;
}
}
}
}
}
security-zone oregon-dmz {
address-book {
address srvw-mail02 172.10.3.20/32;
address srvw-dc03 172.10.3.181/32;
}
interfaces {
st0.104 {
host-inbound-traffic {
system-services {
ike;
all;
}
protocols {
bgp;
ospf;
all;
}
}
}
st0.105 {
host-inbound-traffic {
system-services {
ike;
all;
}
protocols {
ospf;
bgp;
all;
}
}
}
}
}
}
}
firewall {
applications {

}
vlans {

vlan-trusted {
vlan-id 100;
l3-interface vlan.100;
}
}
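A reviewer's consistency check, added here and not part of the post above: it reads the `route ... next-hop` lines and the `address NAME prefix` lines of a config (the sample below is constructed from the lines in the post) and reports which address-book objects fall inside no static route, plus which next-hop a given destination would take. It does not know the poster's intended addressing; it only compares the routing-options section with the address books.

```python
"""Flag address-book objects that no static route covers.

Added example, not from the post.  SAMPLE_CONFIG is constructed from the
routing-options and address-book lines the post shows; the check is a generic
reviewer aid and knows nothing about the poster's intended addressing.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """
route 172.30.0.0/20 next-hop st0.104;
route 172.30.48.0/20 next-hop st0.106;
address west2a-web01 172.10.50.95/32;
address rtr-or-west2a-stage 172.10.50.110/32;
address LAN-west2a-stage 172.10.50.96/28;
address srvw-mail02 172.10.3.20/32;
address srvw-dc03 172.10.3.181/32;
"""

ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+next-hop\s+(\S+);")
# Only 'address NAME prefix;' lines: an interface 'address 10.36.0.10/24;'
# has no name token before the prefix and is deliberately skipped.
ADDR_RE = re.compile(r"^\s*address\s+(\S+)\s+(\d[\d./]*);")


def parse_routes(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """(prefix, next-hop) pairs from 'route X next-hop Y;' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return routes


def parse_addresses(text: str) -> Dict[str, ipaddress.IPv4Network]:
    """name -> prefix from address-book 'address NAME X/len;' lines."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs[m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
    return addrs


def covering_route(prefix: str, text: str) -> Optional[str]:
    """Next-hop of the most specific static route containing prefix, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for route, nh in parse_routes(text):
        if net.version == route.version and net.subnet_of(route):
            if best is None or route.prefixlen > best[0].prefixlen:
                best = (route, nh)
    return best[1] if best else None


def uncovered_addresses(text: str) -> Dict[str, str]:
    """Address objects whose prefix lies inside no static route."""
    return {name: str(net) for name, net in parse_addresses(text).items()
            if covering_route(str(net), text) is None}


if __name__ == "__main__":
    for name, net in uncovered_addresses(SAMPLE_CONFIG).items():
        print(f"{name:24} {net:18} no static route")
    print("172.30.5.1 ->", covering_route("172.30.5.1/32", SAMPLE_CONFIG))
```

Run against the sample, every address-book object is reported as uncovered, while a destination inside 172.30.0.0/20 resolves to st0.104; the check is equally useful the other way round, for spotting routes toward networks that no policy ever references.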

 

 

PPPoE(IPv4) and DHCPv6 work on same interface?


I want to run PPPoE (IPv4) and DHCPv6 on the same interface.
Is it possible?
IPv4 and IPv6 are on the same vlan-id, so I think I can't use vlan-tagging; it would be unmatched.

 

(sample)
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-0/0/0 unit 1 family inet6 dhcpv6-client client-type statefull
set interfaces ge-0/0/0 unit 1 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces ge-0/0/0 unit 1 family inet6 dhcpv6-client client-identifier duid-type duid-ll

 

(error message)

 'unit 1'
Only unit 0 is valid for this encapsulation

 

model: SRX210
version: 12.1X46-D35.1

 

Thanks.

SRX340 15.1.X49 D150.2 PPPoE will not get past PADI sent, whatever I try, and I have been at it for a week full time now


I am ready to junk this box, throw it out of the window, hit the vendor etc. This is getting ridiculous.

I have a brand new location here, with a brand-new KPN supplied 500mbit fiber, supplied via an Alcatel Edge switch.

KPN brought in their own Cisco 897 pos router to show the connection is up and working and so prove that the problem is not theirs, but is the SRX (which is not Cisco, so they do not support it unless they sold it to me). Hopeless, hapless, helpless in fact.

 

So, for a week I have tried everything to get PPPoE up with their specs for the Cisco configuration emulated as much as possible. No joy, it never gets past PADI sent (see log). I even tried to set up IPoE but could not figure out how to do this as it required using KPN's CPE IP address as the gateway, which I could not imagine where to enter.

Here is a snippet of the log that has replicated itself all day for the last 5 days or so.

Nov 15 14:36:04 IO send ... Packet resend for pp0.0
Nov 15 14:36:22 IO send ... Packet resend for pp0.0
Nov 15 14:36:55 IO send ... Packet resend for pp0.0
Nov 15 14:38:01 Discovery phase timedout for intf pp0.0
Nov 15 14:38:05 ***Discovery Init: pp0.0
Nov 15 14:38:05 allocated 1510 bytes at 0x4fe000
Nov 15 14:38:05 *totlen=0x6 tp->len=0x2 ntohs(tplen)=0x2 tot=0x6 MAX_L=0x1502
Nov 15 14:38:05 *totlen=0xa tp->len=0x0 ntohs(tplen)=0x0 tot=0xa MAX_L=0x1502
Nov 15 14:38:05 IO send ... PADI for pp0.0
Nov 15 14:38:08 IO send ... Packet resend for pp0.0
Nov 15 14:38:13 IO send ... Packet resend for pp0.0
Nov 15 14:38:22 IO send ... Packet resend for pp0.0
Nov 15 14:38:39 IO send ... Packet resend for pp0.0
Nov 15 14:39:12 IO send ... Packet resend for pp0.0
Nov 15 14:40:18 Discovery phase timedout for intf pp0.0
Nov 15 14:40:22 ***Discovery Init: pp0.0
Nov 15 14:40:22 allocated 1510 bytes at 0x4fe000
Nov 15 14:40:22 *totlen=0x6 tp->len=0x2 ntohs(tplen)=0x2 tot=0x6 MAX_L=0x1502
Nov 15 14:40:22 *totlen=0xa tp->len=0x0 ntohs(tplen)=0x0 tot=0xa MAX_L=0x1502
Nov 15 14:40:22 IO send ... PADI for pp0.0
Nov 15 14:40:25 IO send ... Packet resend for pp0.0
Nov 15 14:40:30 IO send ... Packet resend for pp0.0
Nov 15 14:40:39 IO send ... Packet resend for pp0.0
Nov 15 14:40:57 IO send ... Packet resend for pp0.0
Nov 15 14:41:30 IO send ... Packet resend for pp0.0
Nov 15 14:42:36 Discovery phase timedout for intf pp0.0
Nov 15 14:42:40 ***Discovery Init: pp0.0
Nov 15 14:42:40 allocated 1510 bytes at 0x4fe000
Nov 15 14:42:40 *totlen=0x6 tp->len=0x2 ntohs(tplen)=0x2 tot=0x6 MAX_L=0x1502
Nov 15 14:42:40 *totlen=0xa tp->len=0x0 ntohs(tplen)=0x0 tot=0xa MAX_L=0x1502
Nov 15 14:42:40 IO send ... PADI for pp0.0
Nov 15 14:42:43 IO send ... Packet resend for pp0.0
Nov 15 14:42:48 IO send ... Packet resend for pp0.0
Nov 15 14:42:57 IO send ... Packet resend for pp0.0
Nov 15 14:43:14 IO send ... Packet resend for pp0.0
Nov 15 14:43:47 IO send ... Packet resend for pp0.0

this goes on forever

the config in use is attached.

 

Now, could you please please help me out of the morass and get this to work? Our operations are now halted due to....lack of internet.

2 questions: how to get PPPoE up, and what about IPoE, which seems a much better solution to me.

I will be pleased with any and all advice!  Do not mind the config, I know it is sloppy; I want the connection up, security comes after.
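A triage helper for the log above, added here and not part of the post: it groups the pppoed lines into discovery attempts, counts the PADI transmissions and the backoff between them, and reports attempts that timed out without any offer. The log sample is constructed from the lines in the post; the test for a received PADO assumes such a line would contain the string "PADO", which is an assumption about the log format since the post shows no such line.

```python
"""Summarise PPPoE discovery attempts from pppoed-style log lines.

Added example, not from the post.  LOG is constructed from the lines shown
there (two complete attempts).  Detecting a received PADO by the substring
"PADO" is an assumption about the log format; the post has no such line.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

LOG = """\
Nov 15 14:38:01 Discovery phase timedout for intf pp0.0
Nov 15 14:38:05 ***Discovery Init: pp0.0
Nov 15 14:38:05 allocated 1510 bytes at 0x4fe000
Nov 15 14:38:05 IO send ... PADI for pp0.0
Nov 15 14:38:08 IO send ... Packet resend for pp0.0
Nov 15 14:38:13 IO send ... Packet resend for pp0.0
Nov 15 14:38:22 IO send ... Packet resend for pp0.0
Nov 15 14:38:39 IO send ... Packet resend for pp0.0
Nov 15 14:39:12 IO send ... Packet resend for pp0.0
Nov 15 14:40:18 Discovery phase timedout for intf pp0.0
Nov 15 14:40:22 ***Discovery Init: pp0.0
Nov 15 14:40:22 IO send ... PADI for pp0.0
Nov 15 14:40:25 IO send ... Packet resend for pp0.0
Nov 15 14:40:30 IO send ... Packet resend for pp0.0
Nov 15 14:40:39 IO send ... Packet resend for pp0.0
Nov 15 14:40:57 IO send ... Packet resend for pp0.0
Nov 15 14:41:30 IO send ... Packet resend for pp0.0
Nov 15 14:42:36 Discovery phase timedout for intf pp0.0
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (.*)$")


@dataclass
class Attempt:
    interface: str
    started: datetime
    sends: List[datetime] = field(default_factory=list)  # PADI plus each resend
    offers: int = 0          # PADO lines seen (assumed log format)
    timed_out: bool = False

    @property
    def gaps(self) -> List[int]:
        """Seconds between consecutive transmissions, i.e. the client backoff."""
        return [int((b - a).total_seconds()) for a, b in zip(self.sends, self.sends[1:])]


def parse_attempts(text: str) -> List[Attempt]:
    attempts: List[Attempt] = []
    cur = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        msg = m.group(2)
        if "Discovery Init" in msg:
            cur = Attempt(interface=msg.rsplit(" ", 1)[-1], started=ts)
            attempts.append(cur)
        elif cur is None:
            continue            # lines before the first init (a stale timeout here)
        elif "PADI" in msg or "Packet resend" in msg:
            cur.sends.append(ts)
        elif "PADO" in msg:
            cur.offers += 1
        elif "timedout" in msg:
            cur.timed_out = True
    return attempts


def unanswered_attempts(text: str) -> int:
    """Attempts that timed out with no PADO at all: the access concentrator never
    answered, so the failure is in discovery, before any PPP authentication."""
    return sum(1 for a in parse_attempts(text) if a.timed_out and a.offers == 0)


if __name__ == "__main__":
    for a in parse_attempts(LOG):
        print(a.interface, a.started.time(), "sends:", len(a.sends),
              "gaps:", a.gaps, "offers:", a.offers, "timed out:", a.timed_out)
    print("unanswered:", unanswered_attempts(LOG))
```

On the sample both attempts are unanswered and the gaps come out as roughly doubling intervals (3, 5, 9, 17, 33 seconds), which is the client retrying on its own with nothing coming back; that separates a silent upstream (wrong VLAN tag, wrong port, or an access concentrator that never sees the PADI) from anything that happens later in PPP.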

 

       

 

 

Default ipv6 loopback address, lo0.0 question!!!! REVISITED.

I have let my SRX decide the link-local loopback on the lo0.0 interface so that I know which address it wants to use. I then set it to a static address, scope /10. I want to know how to calculate this properly in case I don't get an allocation.

My device address is fe80::2a8a:1cff:fe40:1510.
That is the address I started using because I caught it allocating this.

The link loopback's address is
fe80::2a8a:1c0f:fc40:1500.
I get that this is link-local.

I want to calculate this. I understand about 0f:fc, which is similar to the calculation for MAC to IPv6 conversion.

My question is this....
Why is the address 10 units lower at the end?

I.e. 1510 and 1500.

What about other MACs? Should I just only do the insertion on the management interface? Should I reduce the end of the MAC by some number of units? Is there a procedure for this?

Am I now making a mistake in using the 1510 ?

Any suggestions are appreciated.
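The "MAC to IPv6 conversion" mentioned above is modified EUI-64 (RFC 4291, appendix A), which also answers the earlier loopback post's question about how a link-local address is built. The code below is an added example, not from either post: it derives the interface identifier from a MAC, builds the fe80:: address, and inverts the derivation so you can check whether a given address was produced that way. The MAC 28:8a:1c:40:15:10 is an assumption chosen because it is the one from which EUI-64 yields the fe80::2a8a:1cff:fe40:1510 quoted in the post.

```python
"""Modified EUI-64 link-local derivation and its inverse.

Added example; not code from the forum posts.  The MAC 28:8a:1c:40:15:10 is an
assumption: it is the MAC from which modified EUI-64 yields
fe80::2a8a:1cff:fe40:1510, the address the post quotes.
"""
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # RFC 4291 appendix A: flip the universal/local bit (0x02 of the first
    # octet) and insert ff:fe between the OUI and the device-specific half.
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface id, as a compressed address string."""
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(LINK_LOCAL_PREFIX.network_address) | iid))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Invert the derivation.  Returns None when the interface id lacks the
    ff:fe marker, i.e. the address was not built with modified EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    print(link_local_from_mac("28:8a:1c:40:15:10"))     # fe80::2a8a:1cff:fe40:1510
    print(mac_from_eui64("fe80::2a8a:1cff:fe40:1510"))  # 28:8a:1c:40:15:10
    print(mac_from_eui64("fe80::2a8a:1c0f:fc40:1500"))  # None: no ff:fe marker
```

Two things fall out of running it. The interface identifier occupies the low 64 bits, so the derivation only makes sense under a 64-bit prefix (fe80::/64 within the fe80::/10 link-local scope). And the lo0 address in the post, fe80::2a8a:1c0f:fc40:1500, carries 0f:fc where EUI-64 puts ff:fe, so `mac_from_eui64` correctly reports that it is not a standard EUI-64 address; the 1510-versus-1500 difference is therefore not something this derivation explains, and the address cannot be "calculated" from the MAC with it.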

Security Flow Sessions & Routing Failover


This question is for SRX1500 series.

 

We have two connections to our provider, with BGP.  When one neighbor goes down, the traffic fails over to the 2nd circuit, and everything is fine.  I believe the SRX must tear down the flow sessions once the route is pulled out of the RIB?

 

Our problem is when the primary circuit comes back up in a short period of time, like a neighbor flap.

 

At this point we see the Security Flow Sessions still exist on the backup circuit, even though the new best path is back on the primary circuit.  This is resulting in the SRX dropping packets.  It's fixed by us when we clear security flow sessions on the backup circuit.  So I'm thinking we have an issue where flapping BGP neighbors cause problems on our SRX.

 

What is the recommended practice for fixing this?  I know the bigger problem is that the BGP Neighbor is flapping occasionally, and we're trying to work with our provider to fix that.  But we want to soften the blow when a flap like that happens, is there a command we can put in where the security flow sessions will terminate and re-create on the primary circuit when it comes back online?

 

Thanks!

SRX220 Cannot ping the ISP or Internet using IPv6 from user Lan Segment


Hello,

I'm looking for help in that I cannot ping anything on the internet via IPv6 from an internal IPv4/IPv6 VLAN segment.
My VLAN.7 is configured with globally routable IPv6, and from it I can ping its /64 gateway and my router's last hop before the ISP. From the SRX router I can ping everywhere on IPv6, including my internal VLAN.7 IPv6 users, the ISP, OpenDNS IPv6, etc. But alas, from that VLAN I cannot reach the IPv6 internet.

My internal policies and zones are configured for ANY ANY PERMIT from my Internal zone to my Internet zone.

Any help would be greatly appreciated. Thank you in advance!

 

Policy:

From zone: Internal, To zone: Internet
Policy: InternalTOInternet, State: enabled, Index: 21, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit

 

Security Zone:

Security zone: Internal
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 10
Interfaces:
ge-0/0/2.0
ge-0/0/4.0
ge-0/0/5.0
ge-0/0/6.0
ge-0/0/7.0
st0.1
vlan.1
vlan.2
vlan.5
vlan.7

 

Routes:

inet6.0: 10 destinations, 12 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0               *[Static/5] 01:18:15
                    > to 2001:438:fffe::f69 via ge-0/0/0.0
2001:438:2d:10::/64
                   *[Direct/0] 01:18:15
                    > via vlan.7
2001:438:2d:10::1/128
                   *[Local/0] 01:18:32
                      Local via vlan.7
2001:438:2d:40::/64
                   *[Direct/0] 01:18:15
                    > via vlan.5
2001:438:2d:40::1/128
                   *[Local/0] 01:18:32
                      Local via vlan.5
2001:438:fffe::f68/126
                   *[Direct/0] 01:18:15
                    > via ge-0/0/0.0
2001:438:fffe::f6a/128
                   *[Local/0] 01:18:21
                      Local via ge-0/0/0.0
fe80::/64          *[Direct/0] 01:18:15
                    > via ge-0/0/0.0
                    [Direct/0] 01:18:15
                    > via vlan.5
                    [Direct/0] 01:18:15
                    > via vlan.7
fe80::3e61:4ff:fe98:4440/128
                   *[Local/0] 01:18:21
                      Local via ge-0/0/0.0
fe80::3e61:4ff:fe98:4448/128
                   *[Local/0] 01:18:32
                      Local


Juniper SRX configure archiving to a FTP server


Hi

I have a problem: when I commit a new configuration, my device connects to the FTP server but does not log in to the FTP server.

 

Configuration:

set system archival configuration transfer-on-commit
set system archival configuration archive-sites "ftp://user:123456@192.168.5.79"

 

set security zones security-zone Outside host-inbound-traffic system-services all
set security zones security-zone Outside host-inbound-traffic protocols all
set security zones security-zone Outside interfaces vlan.3 host-inbound-traffic system-services all
set security zones security-zone Outside interfaces vlan.3 host-inbound-traffic protocols all

 

and messages on FTP server:

(000496)11/17/2018 14:40:18 PM - (not logged in) (192.168.254.2)> Connected on port 21, sending welcome message...
(000496)11/17/2018 14:40:18 PM - (not logged in) (192.168.254.2)> 220-FileZilla Server 0.9.60 beta
(000496)11/17/2018 14:40:18 PM - (not logged in) (192.168.254.2)> 220-written by Tim Kosse (tim.kosse@filezilla-project.org)
(000496)11/17/2018 14:40:18 PM - (not logged in) (192.168.254.2)> 220 Please visit https://filezilla-project.org/
(000496)11/17/2018 14:40:37 PM - (not logged in) (192.168.254.2)> disconnected.

 

Thanks for your help.

 

 

IPsec Tunnel between cisco ASA and SRX.. Getting error : IKE negotiation failed with error: No proposal chosen


Hi Team,

 

I am building the tunnels between a Cisco ASA and an SRX FW in the lab. I see phase 1 is up on both end FWs, but phase 2 is not coming up, and I see error logs as below.

 

show log KMD-logs on the SRX end:

 

Nov 19 10:42:24 NDC9C-SRX kmd[1088]: Config download: Processed 5 - 6 messages
Nov 19 10:42:24 NDC9C-SRX kmd[1088]: Config download time: 0 seconds
Nov 19 10:42:51 NDC9C-SRX kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-9C Gateway: IKE-GATEWAY-9C, Local: 1.1.1.1/500, Remote: 1.1.1.3/500, Local IKE-ID: 1.1.1.1, Remote IKE-ID: 1.1.1.3, VR-ID: 0
Nov 19 10:43:24 NDC9C-SRX kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-9C Gateway: IKE-GATEWAY-9C, Local: 1.1.1.1/500, Remote: 1.1.1.3/500, Local IKE-ID: 1.1.1.1, Remote IKE-ID: 1.1.1.3, VR-ID: 0
Nov 19 10:43:56 NDC9C-SRX kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-9C Gateway: IKE-GATEWAY-9C, Local: 1.1.1.1/500, Remote: 1.1.1.3/500, Local IKE-ID: 1.1.1.1, Remote IKE-ID: 1.1.1.3, VR-ID: 0
Nov 19 10:43:57 NDC9C-SRX kmd[1088]: Config download: Processed 6 - 7 messages
Nov 19 10:43:57 NDC9C-SRX kmd[1088]: Config download time: 0 seconds
Nov 19 10:44:29 NDC9C-SRX kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-9C Gateway: IKE-GATEWAY-9C, Local: 1.1.1.1/500, Remote: 1.1.1.3/500, Local IKE-ID: 1.1.1.1, Remote IKE-ID: 1.1.1.3, VR-ID: 0
Nov 19 10:45:02 NDC9C-SRX kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-9C Gateway: IKE-GATEWAY-9C, Local: 1.1.1.1/500, Remote: 1.1.1.3/500, Local IKE-ID: 1.1.1.1, Remote IKE-ID: 1.1.1.3, VR-ID: 0
Nov 19 10:45:34 NDC9C-SRX kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-9C Gateway: IKE-GATEWAY-9C, Local: 1.1.1.1/500, Remote: 1.1.1.3/500, Local IKE-ID: 1.1.1.1, Remote IKE-ID: 1.1.1.3, VR-ID: 0
Nov 19 10:47:45 NDC9C-SRX last message repeated 4 times
Nov 19 10:48:50 NDC9C-SRX last message repeated 2 times

 

errors from ASA end:

Nov 19 05:24:10 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007f2675bdc9d0, mess id 0x34d9dd85)!
Nov 19 05:24:10 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Nov 19 05:24:10 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service

 

FW's config as below.

SRX:

 

set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 200.200.200.40/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.0.2/24
set interfaces ge-0/0/2 unit 0 family inet
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.1/24
set routing-options static route 10.2.0.0/24 next-hop 1.1.1.3
set routing-options static route 10.2.0.0/24 resolve
set security ike traceoptions file ike-trace
set security ike traceoptions flag all
set security ike proposal IKE-SHA-AES256-DH1 authentication-method pre-shared-keys
set security ike proposal IKE-SHA-AES256-DH1 dh-group group2
set security ike proposal IKE-SHA-AES256-DH1 authentication-algorithm sha1
set security ike proposal IKE-SHA-AES256-DH1 encryption-algorithm aes-256-cbc
set security ike proposal IKE-SHA-AES256-DH1 lifetime-seconds 86400
set security ike policy IKE-POLICY-9C mode main
set security ike policy IKE-POLICY-9C proposals IKE-SHA-AES256-DH1
set security ike policy IKE-POLICY-9C pre-shared-key ascii-text "$9$aZUkPQFnCtOQFCu0BcSx7-VwgikP"
set security ike gateway IKE-GATEWAY-9C ike-policy IKE-POLICY-9C
set security ike gateway IKE-GATEWAY-9C address 1.1.1.3
set security ike gateway IKE-GATEWAY-9C external-interface ge-0/0/3.0
set security ipsec proposal IPSEC-SHA-AES128-ESP protocol esp
set security ipsec proposal IPSEC-SHA-AES128-ESP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-SHA-AES128-ESP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-SHA-AES128-ESP lifetime-seconds 3600
set security ipsec proposal IPSEC-SHA-AES128-Eset
set security ipsec policy VPN-POLICY-SDC-9C proposals IPSEC-SHA-AES128-ESP
set security ipsec vpn VPN-9C ike gateway IKE-GATEWAY-9C
set security ipsec vpn VPN-9C ike idle-time 300
set security ipsec vpn VPN-9C ike ipsec-policy VPN-POLICY-SDC-9C
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone untrust policy VPN-POLICY-9C-IN match source-address any
set security policies from-zone trust to-zone untrust policy VPN-POLICY-9C-IN match destination-address any
set security policies from-zone trust to-zone untrust policy VPN-POLICY-9C-IN match application any
set security policies from-zone trust to-zone untrust policy VPN-POLICY-9C-IN then permit tunnel ipsec-vpn VPN-9C
set security policies from-zone trust to-zone untrust policy VPN-POLICY-9C-IN then log session-init
set security policies from-zone trust to-zone untrust policy VPN-POLICY-9C-IN then log session-close
set security policies from-zone trust to-zone untrust policy VPN-POLICY-9C-IN then count
set security policies from-zone untrust to-zone trust policy VPN-POLICY-9C-OUT match source-address any
set security policies from-zone untrust to-zone trust policy VPN-POLICY-9C-OUT match destination-address any
set security policies from-zone untrust to-zone trust policy VPN-POLICY-9C-OUT match application any
set security policies from-zone untrust to-zone trust policy VPN-POLICY-9C-OUT then permit tunnel ipsec-vpn VPN-9C
set security policies from-zone untrust to-zone trust policy VPN-POLICY-9C-OUT then log session-init
set security policies from-zone untrust to-zone trust policy VPN-POLICY-9C-OUT then log session-close
set security policies from-zone untrust to-zone trust policy VPN-POLICY-9C-OUT then count
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address 9C-NET-LOCAL 10.1.0.0/24
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust address-book address SDC-NET-REMOTE-VPN 10.2.0.0/24
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all

------------------------------------------------------ASA config---------------------------

On the ASA end FW:

ciscoasa# show running-config crypto
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address SDCNDC9CALC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES128-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface OTSIDE
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
308204d3 308203bb a0030201 02021018 dad19e26 7de8bb4a 2158cdcc 6b3b4a30
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d30
36313130 38303030 3030305a 170d3336 30373136 32333539 35395a30 81ca310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313a30 38060355 040b1331 28632920 32303036 20566572 69536967
6e2c2049 6e632e20 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c
79314530 43060355 0403133c 56657269 5369676e 20436c61 73732033 20507562
6c696320 5072696d 61727920 43657274 69666963 6174696f 6e204175 74686f72
69747920 2d204735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00
3082010a 02820101 00af2408 08297a35 9e600caa e74b3b4e dc7cbc3c 451cbb2b
e0fe2902 f95708a3 64851527 f5f1adc8 31895d22 e82aaaa6 42b38ff8 b955b7b1
b74bb3fe 8f7e0757 ecef43db 66621561 cf600da4 d8def8e0 c362083d 5413eb49
ca595485 26e52b8f 1b9febf5 a191c233 49d84363 6a524bd2 8fe87051 4dd18969
7bc770f6 b3dc1274 db7b5d4b 56d396bf 1577a1b0 f4a225f2 af1c9267 18e5f406
04ef90b9 e400e4dd 3ab519ff 02baf43c eee08beb 378becf4 d7acf2f6 f03dafdd
75913319 1d1c40cb 74241921 93d914fe ac2a52c7 8fd50449 e48d6347 883c6983
cbfe47bd 2b7e4fc5 95ae0e9d d4d143c0 6773e314 087ee53f 9f73b833 0acf5d3f
3487968a ee53e825 15020301 0001a381 b23081af 300f0603 551d1301 01ff0405
30030101 ff300e06 03551d0f 0101ff04 04030201 06306d06 082b0601 05050701
0c046130 5fa15da0 5b305930 57305516 09696d61 67652f67 69663021 301f3007
06052b0e 03021a04 148fe5d3 1a86ac8d 8e6bc3cf 806ad448 182c7b19 2e302516
23687474 703a2f2f 6c6f676f 2e766572 69736967 6e2e636f 6d2f7673 6c6f676f
2e676966 301d0603 551d0e04 1604147f d365a7c2 ddecbbf0 3009f343 39fa02af
33313330 0d06092a 864886f7 0d010105 05000382 01010093 244a305f 62cfd81a
982f3dea dc992dbd 77f6a579 2238ecc4 a7a07812 ad620e45 7064c5e7 97662d98
097e5faf d6cc2865 f201aa08 1a47def9 f97c925a 0869200d d93e6d6e 3c0d6ed8
e6069140 18b9f8c1 eddfdb41 aae09620 c9cd6415 3881c994 eea28429 0b136f8e
db0cdd25 02dba48b 1944d241 7a05694a 584f60ca 7e826a0b 02aa2517 39b5db7f
e784652a 958abd86 de5e8116 832d10cc defda882 2a6d281f 0d0bc4e5 e71a2619
e1f4116f 10b595fc e7420532 dbce9d51 5e28b69e 85d35bef a57d4540 728eb70e
6b0e06fb 33354871 b89d278b c4655f0d 86769c44 7af6955c f65d3208 33a454b6
183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
quit
crypto ikev1 enable OTSIDE
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
ciscoasa# sho
ciscoasa# show t
ciscoasa# show run
ciscoasa# show running-config | i tunn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ciscoasa#

SRX custom attack SIP header analysis

Hello community,

We are trying to implement an IDP custom configuration to check our environment.

We want to inspect SIP traffic to permit only certain phone numbers, but all the traffic is flowing regardless of our config.

This is some relevant information from the config file:

set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" description "SIP header from contains 600001"
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" match attacks custom-attacks VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" then action drop-connection
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" then severity info

set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS attack-type signature pattern ddatmcs
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 attack-type signature pattern 100001
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 attack-type signature pattern 100002
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 attack-type signature pattern *600001*
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 attack-type signature pattern 600002
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 attack-type signature direction client-to-server

set security policies global policy SIP_OUT description VoiP
set security policies global policy SIP_OUT match source-address VCS_Vlan21
set security policies global policy SIP_OUT match destination-address VCS_Vlan21_site1
set security policies global policy SIP_OUT match destination-address Wan_Router
set security policies global policy SIP_OUT match destination-address VCS_Vlan21_Site2
set security policies global policy SIP_OUT match application junos-sip
set security policies global policy SIP_OUT then permit application-services idp-policy IPS_SIP
set security policies global policy SIP_OUT then log session-init
set security policies global policy SIP_OUT then log session-close
set security policies global policy SIP_OUT then count

As I said, the calls are working.

This is an example:

[image attachment: Call capture.JPG]

I am not sure if I wrote the pattern wrong or if it's another problem.

I tried some different patterns, like .*600001.*, but the call always progresses.

Besides L4 filtering, we want to inspect the telephone number and be able to filter by a range of numbers.

Could somebody help me?

Thanks
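
The goal of the post above is to permit calls only from certain extensions by inspecting the SIP From header. As an added example (editor's code, not part of the post and not a model of how Junos IDP custom-attack patterns are evaluated), the Python below shows the two pieces involved: extracting the URI user part from a From header as RFC 3261 lays it out, and checking that number against an allow-list of inclusive ranges, which is what "filter by a range of numbers" needs. A plain substring test is included for contrast, to show why a literal such as 600001 also fires on a longer number like 1600001. The INVITE, the host names and the ranges are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical allow-list of extension ranges, inclusive (constructed for this example).
ALLOWED_RANGES: List[Tuple[int, int]] = [(600001, 600010), (100001, 100002)]

# The URI user part of a From header value (RFC 3261), with or without a
# display name and angle brackets:
#   From: "Alice" <sip:600001@pbx.example>;tag=1928301774
#   From: sip:600001@pbx.example
_FROM_URI_RE = re.compile(r"<?sips?:(?P<user>[^@;>\s]+)@")


def from_header(sip_message: str) -> Optional[str]:
    """Return the value of the From (or compact 'f') header, or None if absent."""
    lines = sip_message.split("\r\n")
    for line in lines[1:]:          # lines[0] is the request/status line
        if line == "":              # the blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("from", "f"):
            return value.strip()
    return None


def extract_from_user(header_value: str) -> Optional[str]:
    """Return the user part (here: the calling extension) of a From header value."""
    m = _FROM_URI_RE.search(header_value)
    return m.group("user") if m else None


def number_allowed(user: Optional[str], ranges=ALLOWED_RANGES) -> bool:
    """True only if the user part is all digits and falls inside an allowed range."""
    if user is None or not user.isdigit():
        return False
    n = int(user)
    return any(lo <= n <= hi for lo, hi in ranges)


def literal_substring_hit(header_value: str, literal: str) -> bool:
    """A plain substring test, for contrast: it also fires on longer numbers
    that merely contain the literal, e.g. '1600001' contains '600001'."""
    return literal in header_value


def decide(sip_message: str) -> Tuple[str, Optional[str]]:
    """Return ('permit' | 'drop', extracted user) for one SIP request."""
    value = from_header(sip_message)
    user = extract_from_user(value) if value is not None else None
    return ("permit" if number_allowed(user) else "drop", user)


# Constructed INVITE (not a capture); hosts, tags and Call-ID are made up.
SAMPLE_INVITE = (
    "INVITE sip:600002@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:600001@pbx.example>;tag=1928301774\r\n'
    "To: <sip:600002@pbx.example>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(decide(SAMPLE_INVITE))                                 # ('permit', '600001')
    longer = SAMPLE_INVITE.replace("sip:600001@", "sip:1600001@", 1)
    print(decide(longer))                                        # ('drop', '1600001')
    print(literal_substring_hit(from_header(longer), "600001"))  # True
```

The range check is deliberately applied to the parsed user part rather than to the whole header, so display names, tags and host names cannot produce a match; the substring helper shows the over-matching that a bare literal produces.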

Routing instance, default inet.0 and route

Hello,

I'm having trouble setting up my SRX340 (15.1X49-D150.2) correctly. I have two routing instances, each of them using a specific WAN (one for LAN, the other for WIFI). It works great and I have two separate networks.

But I'm having trouble routing packets correctly for basic services like NTP sync:

root@srx> set date ntp
20 Nov 10:03:16 ntpdate[38625]: no server suitable for synchronization found

Looking at this doc ( https://kb.juniper.net/InfoCenter/index?page=content&id=KB31654&actp=RSS ), it should be because the SRX could not find any route.

root@srx> show route

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 3d 17:14:18
to table RouteLANInternet.inet.0
192.168.1.1/32 *[Local/0] 5d 21:14:15
Reject

RouteLANInternet.inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 4d 16:07:15
> via pp0.0
10.3.0.0/21 *[Static/5] 5d 21:14:09
> via st0.0
X.X.X.0/22 *[Direct/0] 4d 16:07:33
> via ge-0/0/4.0
X.X.X.91/32 *[Local/0] 4d 16:07:33
Local via ge-0/0/4.0
Z.Z.Z.0/24 *[Direct/0] 5d 21:13:05
> via ge-0/0/6.0
Z.Z.Z.47/32 *[Local/0] 5d 21:13:05
Local via ge-0/0/6.0
Y.Y.Y.47/32 *[Local/0] 4d 16:07:15
Local via pp0.0
192.168.30.0/24 *[Direct/0] 5d 21:13:29
> via ge-0/0/3.0
192.168.30.1/32 *[Local/0] 5d 21:13:29
Local via ge-0/0/3.0
192.168.33.0/24 *[Direct/0] 5d 21:13:29
> via ge-0/0/1.0
192.168.33.10/32 *[Local/0] 5d 21:13:29
Local via ge-0/0/1.0
192.168.88.0/24 *[Direct/0] 5d 21:13:31
> via ge-0/0/15.0
192.168.88.8/32 *[Local/0] 5d 21:13:33
Local via ge-0/0/15.0
192.168.89.0/24 *[Direct/0] 5d 21:13:29
> via ge-0/0/2.0
192.168.89.1/32 *[Local/0] 5d 21:13:29
Local via ge-0/0/2.0
193.253.160.3/32 *[Direct/0] 4d 16:07:15
> via pp0.0

RouteWifiCameraInternetOrange.inet.0: 42 destinations, 43 routes (42 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Access-internal/12] 4d 16:07:32
> to X.X.X.1 via ge-0/0/4.0
[Access-internal/12] 5d 21:12:50
> to Z.Z.Z.254 via ge-0/0/6.0
X.X.X.0/22 *[Direct/0] 4d 16:07:33
> via ge-0/0/4.0
X.X.X.91/32 *[Local/0] 4d 16:07:33
Local via ge-0/0/4.0
Z.Z.Z.0/24 *[Direct/0] 5d 21:13:05
> via ge-0/0/6.0
Z.Z.Z.47/32 *[Local/0] 5d 21:13:05
Local via ge-0/0/6.0
Y.Y.Y.47/32 *[Local/0] 4d 16:07:15
Local via pp0.0
192.168.30.0/24 *[Direct/0] 5d 21:13:29
> via ge-0/0/3.0
192.168.30.1/32 *[Local/0] 5d 21:13:34
Local via ge-0/0/3.0
192.168.30.50/32 *[Access-internal/12] 5d 10:06:02
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.51/32 *[Access-internal/12] 5d 09:24:53
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.52/32 *[Access-internal/12] 5d 09:24:52
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.53/32 *[Access-internal/12] 5d 09:24:55
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.54/32 *[Access-internal/12] 5d 09:24:55
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.55/32 *[Access-internal/12] 5d 16:41:36
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.56/32 *[Access-internal/12] 5d 16:37:29
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.57/32 *[Access-internal/12] 5d 09:24:52
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.58/32 *[Access-internal/12] 5d 09:24:53
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.59/32 *[Access-internal/12] 5d 09:24:53
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.60/32 *[Access-internal/12] 5d 09:24:53
> to 192.168.30.1 via ge-0/0/3.0
192.168.30.99/32 *[Access-internal/12] 5d 09:24:54
> to 192.168.30.1 via ge-0/0/3.0
192.168.33.0/24 *[Direct/0] 5d 21:13:29
> via ge-0/0/1.0
192.168.33.10/32 *[Local/0] 5d 21:13:34
Local via ge-0/0/1.0
192.168.33.100/32 *[Access-internal/12] 5d 21:13:07
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.101/32 *[Access-internal/12] 5d 21:13:06
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.110/32 *[Access-internal/12] 5d 09:24:48
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.111/32 *[Access-internal/12] 5d 09:24:47
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.116/32 *[Access-internal/12] 1d 01:47:23
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.117/32 *[Access-internal/12] 1d 01:30:42
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.118/32 *[Access-internal/12] 1d 01:19:32
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.119/32 *[Access-internal/12] 1d 01:00:56
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.120/32 *[Access-internal/12] 1d 00:57:33
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.121/32 *[Access-internal/12] 1d 00:55:31
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.122/32 *[Access-internal/12] 1d 00:51:54
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.123/32 *[Access-internal/12] 1d 00:04:37
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.124/32 *[Access-internal/12] 22:58:09
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.125/32 *[Access-internal/12] 21:39:27
> to 192.168.33.10 via ge-0/0/1.0
192.168.33.126/32 *[Access-internal/12] 20:20:37
> to 192.168.33.10 via ge-0/0/1.0
192.168.88.0/24 *[Direct/0] 5d 21:13:31
> via ge-0/0/15.0
192.168.88.8/32 *[Local/0] 5d 21:13:31
Local via ge-0/0/15.0
192.168.89.0/24 *[Direct/0] 5d 21:13:29
> via ge-0/0/2.0
192.168.89.1/32 *[Local/0] 5d 21:13:34
Local via ge-0/0/2.0
193.253.160.3/32 *[Direct/0] 4d 16:07:15
> via pp0.0

Here is my config:

routing-options {
    static {
        route 0.0.0.0/0 next-table RouteLANInternet.inet.0;
    }
    rib-groups {
        LAN-External {
            import-rib [ RouteWifiCameraInternetOrange.inet.0 RouteLANInternet.inet.0 ];
        }
    }
    forwarding-table {
        export load-balancing-policy;
    }
}
(...)
routing-instances {
    RouteLANInternet {
        instance-type virtual-router;
        interface ge-0/0/5.0;
        interface ge-0/0/15.0;
        interface pp0.0;
        interface st0.0;
        routing-options {
            interface-routes {
                rib-group inet LAN-External;
            }
            # the LAN goes out over the Orange link
            static {
                route 10.3.0.0/21 next-hop st0.0;
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
    }
    RouteWifiCameraInternetOrange {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        interface ge-0/0/2.0;
        interface ge-0/0/3.0;
        interface ge-0/0/4.0;
        interface ge-0/0/6.0;
        routing-options {
            interface-routes {
                rib-group inet LAN-External;
            }
            static {
                route 0.0.0.0/0 next-hop X.X.X.91;
            }
        }
    }
}

I'm using a RIB group to import RIBs between the instances, because they do need to communicate (LAN must have access to Wifi).

If I add the default route to 0.0.0.0 in the global routing-options:

static {
    route 0.0.0.0/0 next-table RouteLANInternet.inet.0;
}

Then I get a different result:

root@srx> set date ntp
20 Nov 10:19:37 ntpdate[39077]: sendto/sendmsg(195.83.132.135): No route to host
20 Nov 10:19:38 ntpdate[39077]: sendto/sendmsg(195.83.132.135): No route to host
20 Nov 10:19:39 ntpdate[39077]: sendto/sendmsg(195.83.132.135): No route to host
20 Nov 10:19:40 ntpdate[39077]: sendto/sendmsg(195.83.132.135): No route to host
20 Nov 10:19:41 ntpdate[39077]: no server suitable for synchronization found

and show route clearly shows that inet.0 does not have any route to follow:

root@srx> show route

inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.1/32     *[Local/0] 5d 21:29:05
                      Reject

I'm a bit lost for now, so any help is welcome :)

Carrier Grade NAT || SRX5K

Dear Team,

Kindly provide any guides for Carrier Grade NAT on SRX5K. I have searched many times, but only found configs for MX, not SRX.

Publish server to Internet

[image attachment: net.png]

I want to publish a web server to the internet, using the config below:

nat {
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    destination {
        pool webserver {
            address 192.168.2.10/32 port 88;
        }
        rule-set WebNat {
            from zone untrust;
            rule RuleWebNat {
                match {
                    destination-address <public local>/32;
                    destination-port {
                        88;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            webserver;
                        }
                    }
                }
            }
        }
    }
}

policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy untrust-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

routing-options {
    static {
        route 0.0.0.0/0 next-hop [ 192.168.1.1 ];
    }
}

But it does not work. I need help.

Thanks!

DHCPv6 over VDSL - Not sending, no route (or source address)?

Hello,

Trying to set up a simple DHCPv6 client on an SRX220H2, running 12.3X48-D75.4.

The device appears not to be sending the DHCP requests out, either due to a lack of route to the multicast target, or no source address? I have some trace data captured, and am a bit baffled. Hoping it is something simple that is not configured correctly.

The pt-1/0/0 interface does appear to have a fe80 address, which should be enough to sort things out:

pt-1/0/0.0              up    up   inet     a.b.c.d/23
                                   inet6    fe80::6664:9bff:fe04:d2ae/64

IPv4 services are provided via DHCP over the same VDSL interface as well. The interface is located within the default routing instance, but the device does run a few.

Config extract:

user@GATE> show configuration interfaces pt-1/0/0
traps;
vdsl-options {
    vdsl-profile 17a;
}
unit 0 {
    family inet {
        dhcp-client {
            no-dns-propagation;
            retransmission-attempt 6;
            retransmission-interval 5;
            update-server;
        }
    }
    family inet6 {
        dhcpv6-client {
            client-type statefull;
            client-ia-type ia-pd;
            update-router-advertisement {
                interface vlan.0;
            }
            client-identifier duid-type duid-ll;
            req-option fqdn;
        }
    }
}

DHCPv6 client status:

user@GATE> show dhcpv6 client binding

IP/prefix                       Expires     State      ClientType    Interface       Client DUID
::/0                            0           INIT       STATEFUL      pt-1/0/0.0      LL0x3-64:64:9b:04:d2:ae

user@GATE> show dhcpv6 client binding detail 

Client Interface: pt-1/0/0.0
     Hardware Address:             64:64:9b:04:d2:ae
     State:                        INIT(DHCPV6_CLIENT_STATE_INIT)
     ClientType:                   STATEFUL
     Bind Type:                    IA_PD
     Preferred prefix length       0
     Sub prefix length             64
     Client DUID:                  LL0x3-64:64:9b:04:d2:ae
     Rapid Commit:                 Off
     Server Ip Address:            ::/0
     Client IP Prefix:             ::/0

Update RA interfaces:
     Interface: vlan.0

Configured traceoptions, to generate the output below:

set system processes dhcp-service traceoptions file dhcp-trace
set system processes dhcp-service traceoptions file size 10m
set system processes dhcp-service traceoptions file files 10
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag all

Debug output - of interest to me is this line:

[DEBUG][default:default][(null)][INET6][pt-1/0/0.0][SID=0] jdhcp_v6_client_pdu_send: Failed to send 1 packet to ff02::1:2 Error=Can't assign requested address

Nov 21 15:16:51.077266 [INFO] [default:default][(null)][INET6][pt-1/0/0.0][SID=0] JDHCPD_CLIENT_EVENT: Client got event CLIENT_EVENT_LEASE_TIMEOUT in state DHCPV6_CLIENT_STATE_SELECTING
Nov 21 15:16:51.077912 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0][SID=0] jdhcp_v6_client_pdu_send: Preparing to send 1 PDU
Nov 21 15:16:51.078232 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0][SID=0] jdhcp_v6_client_pdu_send: 
Dump of 1 PDU to be sent

Nov 21 15:16:51.078572 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] >>>>>>>>>> Decode message from == ::/0 <<<<<<<<<<
Nov 21 15:16:51.078805 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ msgtype == DHCPV6-SOLICIT ]--------------------------
Nov 21 15:16:51.078988 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ len == 40 ]--
Nov 21 15:16:51.079194 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ xid == 82f6b4 ]--
Nov 21 15:16:51.079376 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ msgtype == DHCPV6-SOLICIT ]--------------------------
Nov 21 15:16:51.079568 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ len == 40 ]--
Nov 21 15:16:51.079745 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ xid == 82f6b4 ]--
Nov 21 15:16:51.079940 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ OPTION_CLIENTID 
Nov 21 15:16:51.080155 [INFO] [default:default][(null)][INET6][pt-1/0/0.0]       OPTION code   1, len  10, data 00 03 00 01 64 64 9b 04 dc ae ]--
Nov 21 15:16:51.080358 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ OPTION_IA_PD 
Nov 21 15:16:51.080530 [INFO] [default:default][(null)][INET6][pt-1/0/0.0]       OPTION code  25, len  12, iaid 0, T1 4294967295, T2 4294967295 ]--
Nov 21 15:16:51.080738 [INFO] [default:default][(null)][INET6][pt-1/0/0.0] --[ OPTION_OPT_REQ 
Nov 21 15:16:51.080934 [INFO] [default:default][(null)][INET6][pt-1/0/0.0]       OPTION code   6, len   2, data 00 27 ]--
Nov 21 15:16:51.081134 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0] dhcpv6_option_parse:     Parsing suboptions of OPTION_IA_PD - Start
Nov 21 15:16:51.081336 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0] dhcpv6_option_parse:     Parsing suboptions of OPTION_IA_PD - Done
Nov 21 15:16:51.081516 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0] dhcpv6_packet_decode: dhcpv6 pkt parsing - End
Nov 21 15:16:51.081810 DH_SVC_SENDMSG_FAILURE: sendmsg() from :: to port 547 at ff02::1:2 via interface 80 and routing instance default failed: Can't assign requested address
Nov 21 15:16:51.082212 [WARN]  dhcpv6_client_io_send_packet: sendmsg() from :: to ff02::1:2/547 via interface 80 and routing instance default failed: Can't assign requested address
Nov 21 15:16:51.082475 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0][SID=0] jdhcp_v6_client_pdu_send: Failed to send 1 packet to ff02::1:2 Error=Can't assign requested address
Nov 21 15:16:51.082698 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0][SID=0] dhcpv6_client_pdu_retransmit: retransmit send packet 1 from ifl pt-1/0/0.0
Nov 21 15:16:51.082900 [DEBUG][default:default][(null)][INET6][pt-1/0/0.0][SID=0] dhcpv6_start_lease_timer: STARTING LEASE TIMER
Nov 21 15:16:51.083073 starting lease timer for 4 seconds

If anyone has any ideas, I'm happy to try anything. Security policies/etc should be a-ok, but hey ...

Thanks!
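
To make the option dump in the trace above concrete, here is a small DHCPv6 message decoder added by the editor; it is not part of this post and not Junos jdhcpd code. It reassembles the 40-byte SOLICIT from the fields the trace logs (msgtype SOLICIT, xid 82f6b4, OPTION_CLIENTID carrying a DUID-LL, OPTION_IA_PD with iaid 0 and T1/T2 of 0xffffffff, OPTION_ORO asking for option 39, which is CLIENT_FQDN per RFC 4704 and matches the configured req-option fqdn) as constructed bytes, and walks the TLV option list per RFC 8415. It goes one step beyond the trace by also decoding the IAPREFIX sub-option a server returns inside IA_PD in its REPLY, so the same parser can be pointed at a delegated prefix once one arrives.

```python
import struct
import ipaddress
from typing import Any, Dict, List

# Option codes from RFC 8415 (CLIENT_FQDN from RFC 4704).
OPTION_CLIENTID = 1
OPTION_ORO = 6
OPTION_IA_PD = 25
OPTION_IAPREFIX = 26
OPTION_CLIENT_FQDN = 39
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW", 7: "REPLY"}
DUID_TYPES = {1: "LLT", 2: "EN", 3: "LL", 4: "UUID"}


def parse_duid(data: bytes) -> Dict[str, Any]:
    """Decode a DUID; the trace shows type 3 (DUID-LL): hw type + link-layer address."""
    (duid_type,) = struct.unpack("!H", data[:2])
    duid: Dict[str, Any] = {"type": DUID_TYPES.get(duid_type, duid_type)}
    if duid_type == 3:                                   # DUID-LL
        (duid["hw_type"],) = struct.unpack("!H", data[2:4])
        duid["lladdr"] = ":".join(f"{b:02x}" for b in data[4:])
    elif duid_type == 1:                                 # DUID-LLT adds a 32-bit time
        duid["hw_type"], duid["time"] = struct.unpack("!HI", data[2:8])
        duid["lladdr"] = ":".join(f"{b:02x}" for b in data[8:])
    else:
        duid["raw"] = data[2:].hex()
    return duid


def decode_option(code: int, body: bytes) -> Dict[str, Any]:
    if code == OPTION_CLIENTID:
        return {"code": code, "name": "CLIENTID", "duid": parse_duid(body)}
    if code == OPTION_ORO:                               # list of 16-bit option codes
        if len(body) % 2:
            raise ValueError("ORO length must be even")
        return {"code": code, "name": "ORO",
                "requested": list(struct.unpack(f"!{len(body) // 2}H", body))}
    if code == OPTION_IA_PD:                             # IAID, T1, T2, then sub-options
        iaid, t1, t2 = struct.unpack("!III", body[:12])
        return {"code": code, "name": "IA_PD", "iaid": iaid, "t1": t1, "t2": t2,
                "suboptions": parse_options(body[12:])}
    if code == OPTION_IAPREFIX:                          # lifetimes, prefix length, 128-bit prefix
        preferred, valid, plen = struct.unpack("!IIB", body[:9])
        prefix = ipaddress.IPv6Address(body[9:25])
        return {"code": code, "name": "IAPREFIX", "preferred": preferred, "valid": valid,
                "prefix": f"{prefix}/{plen}", "suboptions": parse_options(body[25:])}
    return {"code": code, "name": "UNKNOWN", "raw": body.hex()}


def parse_options(data: bytes) -> List[Dict[str, Any]]:
    """Walk the TLV option list: 16-bit code, 16-bit length, value, repeated."""
    options, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError(f"option {code} truncated")
        options.append(decode_option(code, body))
        off += 4 + length
    if off != len(data):
        raise ValueError("trailing bytes after last option")
    return options


def parse_dhcpv6(pkt: bytes) -> Dict[str, Any]:
    """Client/server message: 1-byte msg-type, 3-byte transaction id, then options."""
    if len(pkt) < 4:
        raise ValueError("message shorter than header")
    return {"msg_type": MSG_TYPES.get(pkt[0], pkt[0]),
            "xid": pkt[1:4].hex(),
            "options": parse_options(pkt[4:])}


# The 40-byte SOLICIT reassembled from the option dump in the trace
# (xid 82f6b4; CLIENTID, IA_PD, ORO). Constructed here, not captured on the wire.
SOLICIT = bytes.fromhex(
    "01" "82f6b4"                                   # msg-type SOLICIT, xid
    "0001" "000a" "0003" "0001" "64649b04dcae"      # OPTION_CLIENTID: DUID-LL, Ethernet, MAC
    "0019" "000c" "00000000" "ffffffff" "ffffffff"  # OPTION_IA_PD: iaid 0, T1 and T2 = 0xffffffff
    "0006" "0002" "0027"                            # OPTION_ORO: request option 39 (CLIENT_FQDN)
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_dhcpv6(SOLICIT), indent=2))
```

Running the block prints the decoded SOLICIT; the length and truncation checks in parse_options are what make it safe to point at untrusted bytes rather than only at a trace you already trust.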

VPN over Cisco GRE tunnel issue(s)

OK, I realise vital info may be missing, but here's what we have set up:

LAN1 -- SRX1 -- IPSEC VPN -- ||| -- CISCO1 -- GRE -- MPLS -- GRE -- CISCO2 -- ||| -- IPSECVPN -- SRX2 -- LAN2

Our network is either side of the Cisco routers. The bit in the middle is provided by a 3rd party. We use OSPF for routing. There are no specific MTUs in place on any device.

At present our IPSEC VPN tunnel will only come up if there is a static route in place on SRX2 telling it how to get to CISCO1 via a local interface. CISCO2 is unable to form an OSPF adjacency, whereas CISCO1 is. When the tunnel is up, it is not 'reliable', i.e. as soon as any load is passed over it pings start dropping, file transfers won't complete and all sorts of fragmentation is seen on the Cisco routers, which I think points to an MTU issue. The third party has tried setting an interface MTU of 1420 at both ends, which we've matched on our SRX devices, but this causes our IPSEC tunnel to drop and stay down. We've also tried setting the VPN MTU at 1420, but with no success either. The media type connected to CISCO1 is fibre, and at CISCO2 VDSL.

Does anyone have any experience of this kind of issue or suggestions as to how we might solve it?

Set up logical systems on existing SRX5800

Hi All,

We have an SRX 5800 pair running JUNOS 12.3X48 right now, and plan to add two logical systems on it.

May I know whether there are some instructions or KBs talking about this?

Are the steps for adding them the same as setting up a new logical system on an SRX, or are there some differences?

To split the existing configurations into the two logical systems, will the live traffic be impacted?

Currently we have 7 physical 10 ports working as one LAG and several VRs working on the FW pair.

Thanks in advance!

BR/ Claire

SRX220 - IPv6 SLAAC for a VLAN - No IPv6 DNS Configuration Available?

Hello,

I'm using JUNOS Software Release [12.1X46-D65.4]. I have configured IPv6 SLAAC for a VLAN segment and don't see where I can add the IPv6 DNS servers, either on the VLAN, the System, or the VLAN interface. I'm getting stateless IPv6 addresses on the segment, just that no IPv6 DNS servers are showing on the end user computer. Which I can understand, until I have them configured somewhere? The only place I can seem to enter IPv6 DNS servers is under the "System" configuration, but once I do that, my IPv4 DNS stops working and I still never see the IPv6 DNS on the user end. Can someone please point me to where I can enter this data? A small snippet of my configuration is below:

protocols {
router-advertisement {
interface vlan.7 {
prefix 2001:438:2d:10::/64;

unit 7 {
family inet {
address 10.10.10.1/24;
}
family inet6 {
address 2001:438:2d:10::1/64;
system {
}
name-server {
208.67.220.220;
208.67.222.222;
}
name-resolution {
no-resolve-on-input;

IP Monitoring Probe

I would like to ping 4 addresses from my SRX340 and in the event ALL 4 are unreachable, I would like to put a logical interface into a down state. If one of them becomes reachable again, I would like to put the interface back in the up state. It would also be acceptable to put a physical interface into the down state.

I have read the Juniper articles about IP monitoring and this appears to be possible using RPM probes, but there is not a lot of information available on how to configure them. I can determine how to create the RPM but not how to take an action when it is considered unreachable.

Is what I am trying to do possible, and if so can anyone point me to resources to help configure it? Is the configuration possible via J-Web or CLI only?

Thanks

SRX using secure wire

Hi community,

I am interested in deploying an SRX in secure wire mode, but I want to know if I can enable Enhanced Web Filtering in this mode. Could you help me please?

I read this reference, Understanding Secure Wire on Security Devices, but there is nothing in it about web filtering.

Regards

Carlos Contreras